Hi there,

On Mon, 18 May 2020, Bud Rozwood via clamav-users wrote:
> I ran clamscan on my ~/.thunderbird directory and clamscan detected these files (log attached) as threats. I didn't know what to do with them or if I should worry so I decided to post them as described in the FAQ. I've at least quarantined them to a separate directory, which I'm not sure if it was wise or not but thunderbird still appears to be working.
There are many files and directories stored in your home directory whose names start with a 'dot'. They contain all sorts of things such as personal configuration of the tools that you use (like Thunderbird and whatever browser), and personal 'state' data such as your address book, browsing history, display settings and many, many other things. Often they'll sit there for years, doing nothing but use up disc space because for example you don't use that tool any more. Deleting any of these won't normally break the tool - its code isn't normally in your home directory - but in the case of something like Thunderbird it might mean that you lose all your mail, and need to start again with things like setting up your mail services, so it's still a good idea to ask here before you do anything rash.
> Advice?
There's some below, and plenty more is available in the list archives.

On a point of mailing list order, please don't post megabytes of logs to a mailing list which will then send out your message to thousands of people. Better to send a short first message explaining the issue, and let people ask you about the logs if they want to see them, or if they can help you with them in other ways.

When you tell us what you found, tell us exactly how you found it. That means show us the exact command(s) that you used. It will help if you tell us something about the system, and how it is used. I did once have a crystal ball, but it never seemed to work quite right and in the end I sold it to a gypsy.

We might need to know a little about the configuration of ClamAV on your system. We will need to know what user executed the command, because different users on your system have different permissions to do things and this is important if e.g. you move files to quarantine (or delete them). By the way there is only one 'u' in quarantine, which might seem trivial but it can cause a lot of confusion if you spell things wrongly in commands.

If you had read some of the advice already posted on this list you would also probably not have told clamscan to move any files in the first place, and might perhaps have saved yourself some effort (and even some worry).

Actually READ what the logs say. There were in total 24,978 lines in the file you posted. The entire information in that 3.4 megabyte file consisted of exactly 24 distinct lines, and can be condensed with no loss of information into less than 2,000 characters.

The '$' symbol, at the start of a line below (which shows the command that was used to get the output shown on the following lines) is just the 'bash' shell prompt; the rest of that one line is the command that was typed. You get used to these things.
:)

8<----------------------------------------------------------------------
$ cat clamscan-2020-05-18-1902.log | uniq -c | wc
     24     103    1943
8<----------------------------------------------------------------------

Three of those lines were repeated over 8,000 times each:

8<----------------------------------------------------------------------
$ cat clamscan-2020-05-18-1902.log | uniq -c
      1
      1 -------------------------------------------------------------------------------
      1
      1 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail.com/[Gmail].sbd/Important: Email.Exploit.Efail-6543463-0 FOUND
      1 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail.com/[Gmail].sbd/Important: moved to 'quaruntine_files//Important'
      1 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail.com/INBOX: Email.Exploit.Efail-6543463-0 FOUND
      1 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail.com/INBOX: moved to 'quaruntine_files//INBOX'
   8390 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail-1.com/[Gmail].sbd/Important: Heuristics.Phishing.Email.SpoofedDomain FOUND
      1 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail-1.com/[Gmail].sbd/Important: moved to 'quaruntine_files//Important.001'
   8162 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail-1.com/[Gmail].sbd/All Mail: Heuristics.Phishing.Email.SpoofedDomain FOUND
      1 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail-1.com/[Gmail].sbd/All Mail: Legacy.Trojan.Agent-37061 FOUND
      1 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail-1.com/[Gmail].sbd/All Mail: moved to 'quaruntine_files//All Mail'
   8405 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail-1.com/INBOX: Heuristics.Phishing.Email.SpoofedDomain FOUND
      1 /home/bud/.thunderbird/r68mrpoy.default-default/ImapMail/imap.gmail-1.com/INBOX: moved to 'quaruntine_files//INBOX.001'
      1
      1 ----------- SCAN SUMMARY -----------
      1 Known viruses: 6985448
      1 Engine version: 0.102.3
      1 Scanned directories: 22
      1 Scanned files: 139
      1 Infected files: 5
      1 Data scanned: 13149.12 MB
      1 Data read: 10896.21 MB (ratio 1.21:1)
      1 Time: 3873.536 sec (64 m 33 s)
8<----------------------------------------------------------------------

Five lines show that the files which caused the alerts have been moved. There are six interesting lines. They show a total of only three distinct threats:

8<----------------------------------------------------------------------
$ cat clamscan-2020-05-18-1902.log | uniq -c | grep FOUND | cut -d':' -f2 | sort | uniq
 Email.Exploit.Efail-6543463-0 FOUND
 Heuristics.Phishing.Email.SpoofedDomain FOUND
 Legacy.Trojan.Agent-37061 FOUND
8<----------------------------------------------------------------------

What you actually do about these things depends on how much damage, loss or work you think might be involved in the several alternative courses of action. If you're really worried, it's probably best just to pull the plug and use a different computer to ask for advice. Most of the time threats will be of no consequence on a Linux box because they'll be targeted at other operating systems, but you can't take anything for granted.

Spend some quality time with the documentation and get a feel for how you can look for information about individual threats. If it's something with 'Windows' or 'Phish' in its name you'll probably feel safer than if it says 'Linux'. Ask here if you have trouble finding the information or understanding it.

Learn how to use the tools available to you, for example things I've shown above, and what I show below:

8<----------------------------------------------------------------------
$ grep Phish clamscan-2020-05-18-1902.log | wc -l
24957
8<----------------------------------------------------------------------

There were 24957 references to 'Phishing', which we can probably say aren't worrying unless you're prone to believing everything that you read in your mail.
Your mail hygiene and general housekeeping skills might be a little more worrying.

8<----------------------------------------------------------------------
$ grep -v Phish clamscan-2020-05-18-1902.log | wc -l
21
8<----------------------------------------------------------------------

A total of 21 lines in your log did NOT contain the word 'Phish'.

Now a little more involved, looking at the first signature identified. I hope your mail reader doesn't screw all this up. This is all plain text (I never send HTML mail, and neither should you, when you send mail to a mailing list).

8<----------------------------------------------------------------------
$ sigtool --datadir=/var/lib/clamav/databases/ -fEmail.Exploit.Efail-6543463-0 | sigtool --decode-sigs
VIRUS NAME: Email.Exploit.Efail-6543463-0
TDB: Engine:81-255,Target:4
LOGICAL EXPRESSION: 1
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Content-Type: text/html{WILDCARD_ANY_STRING}--{WILDCARD_ANY_STRING}Content-Type: text/html
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 +-> TRIGGER: 0
 +-> REGEX: Content-Type:\x20text\x2fhtml[\S\s]+?\x3c[^\x3e]+?[\x22\x27]?(https?|ftp|file|telnet):\x2f\x2f[^\x22\x27\x3e]+?\x2d\x2d[^\x3e]+?\x0aContent-Type:\x20text\x2fhtml
 +-> CFLAGS: is
8<----------------------------------------------------------------------

This signature is just looking for plain text in a mail message. Most likely it would never have got past my mail filters in the first place and if it had, I'd have made sure that nothing like it ever did again. I'd have lost no sleep over it at all. I'll leave you to look into the other two alerts as a useful exercise.

Thankfully my days of suffering customers' Windows boxes are now over and I personally never bother to scan any Linux box with ClamAV. In my judgement, prevention is much better than discovery after the fact.

HTH.

:)

--
73,
Ged.
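The uniq/grep/cut/sort pipelines in Ged's reply, collected into one reusable script as an added example (this is not code from the thread or from the ClamAV project). The log lines it summarises are constructed for the example and only follow the clamscan output format; the paths, the signature names and the script name clamscan-summary.sh are assumptions. One deliberate difference from the reply: the signature name is taken as everything after the last ': ' on a FOUND line rather than with cut -d':' -f2, so a mailbox path that itself contains a colon does not land in the wrong bucket.

```shell
#!/bin/sh
# Added example, not from the original thread: condense a clamscan log into
# one count per distinct signature, list what --move relocated, and separate
# phishing heuristics from everything else. All log lines below are
# constructed for this example; only the line format follows clamscan.

# Constructed sample log: one phishing heuristic reported three times, one
# exploit signature reported once, two 'moved to' lines and a summary block.
sample_log() {
    i=0
    while [ "$i" -lt 3 ]; do
        echo "/home/user/.thunderbird/abc.default/ImapMail/imap.example.com/INBOX: Heuristics.Phishing.Email.SpoofedDomain FOUND"
        i=$((i + 1))
    done
    echo "/home/user/.thunderbird/abc.default/ImapMail/imap.example.com/INBOX: moved to 'quarantine_files//INBOX'"
    echo "/home/user/.thunderbird/abc.default/ImapMail/imap.example.com/Sent: Email.Exploit.Efail-6543463-0 FOUND"
    echo "/home/user/.thunderbird/abc.default/ImapMail/imap.example.com/Sent: moved to 'quarantine_files//Sent'"
    echo ""
    echo "----------- SCAN SUMMARY -----------"
    echo "Infected files: 2"
}

# One line per distinct signature, prefixed with how many log lines reported
# it, most frequent first. The signature name is everything after the LAST
# ': ' on the line, so a path that itself contains ': ' does not skew the
# count (cut -d':' -f2 would).
signature_counts() {
    grep ' FOUND$' "$1" | sed 's/^.*: //; s/ FOUND$//' | sort | uniq -c | sort -rn
}

# How many distinct signatures fired (the "only three distinct threats" figure).
distinct_signature_count() {
    signature_counts "$1" | wc -l | tr -d ' '
}

# Number of FOUND lines that are not phishing heuristics: read these first.
non_phish_hits() {
    grep ' FOUND$' "$1" | grep -v 'Phish' | wc -l | tr -d ' '
}

# Files that clamscan --move relocated, i.e. what you would have to put back
# if a hit turns out to be a false positive.
moved_files() {
    grep ': moved to ' "$1" | sed 's/: moved to .*$//'
}

# Usage: sh clamscan-summary.sh [logfile]. Without an argument the constructed
# sample log is written to a temporary file and summarised.
main() {
    if [ -n "$1" ]; then
        log="$1"
    else
        log=$(mktemp)
        sample_log > "$log"
    fi
    echo "Distinct signatures: $(distinct_signature_count "$log")"
    signature_counts "$log"
    echo "Non-phishing FOUND lines: $(non_phish_hits "$log")"
    echo "Files moved to quarantine:"
    moved_files "$log"
}

main "$@"
```

Run it against a real log with `sh clamscan-summary.sh clamscan-2020-05-18-1902.log`. The moved_files list is the part worth keeping: it is the only record of where `--move` took each mailbox file, and a Thunderbird mbox that was quarantined on a phishing heuristic is far more likely to need restoring than deleting.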
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml